The Flame espionage malware targeting Iranian computers contains code that can completely hijack the Windows update mechanism that Microsoft uses to distribute security patches to hundreds of millions of its users, security researchers said Monday.

Flame components known as "Gadget" and "Munch" allow Flame operators to mount a man-in-the-middle attack against computers connected to a local network that hosts at least one machine already infected by the malware, Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. By exploiting weaknesses in Microsoft's Terminal Server product—and poor key-management decisions made by Microsoft engineers—the Flame architects were able to produce cryptographic seals falsely certifying that their malicious wares had been produced by Microsoft.

Microsoft issued an emergency update on Sunday that added three certificate authorities to its list of untrusted certificates, but it's unclear how useful such measures will be at repairing the damage. Company officials have yet to acknowledge the susceptibility of the update process or to provide guidance for customers whose networks may already be compromised. A representative with Microsoft's outside PR firm told Ars that Microsoft "doesn't have anything further to share at this time," and referred reporters to a series of blog posts that didn't address these unanswered questions.

According to Kaspersky's Gostev, Flame attackers have been using the same fraudulent Microsoft certificates to spoof the company's widely used Windows update mechanism. Other researchers quickly weighed in on the enormity of the attack.

"Having a Microsoft code signing certificate is the Holy Grail of malware writers," Mikko Hypponen, chief research officer of antivirus provider F-Secure, blogged on Monday. "This has now happened."

A separate blog post published Monday by Symantec researchers further catalogs the enormous data collection capabilities of Flame. "The sheer breadth of functionality and size sets it apart," Symantec researchers wrote. "Even describing it as an industrial vacuum cleaner does not do it justice."

The Flame modules are able to bypass the legitimate Windows update by setting up a fake server named MSHOME-F3BE293C on networks that host an infected machine. When machines attached to the network run software that advertises itself as an official Microsoft update, the fake server delivers the Flame malware instead, causing those machines to also become infected.

Right now, Microsoft is using its emergency update process to push a patch that mitigates a Windows threat that can hijack the emergency update process. No doubt, end users should install the patch as soon as possible. But it's naive to think this out-of-band fix will repair the damage done to networks already hit by Flame, at least until Microsoft representatives provide additional guidance.

Promoted Comments

Also, based on what I've heard, won't they be able to make more intermediate certificate authorities using the same exploit if all they are doing is updating a blacklist?

The blacklisted intermediate CAs were created by Microsoft.

The intermediate CAs generated by the attackers inherited trust from two of the blacklisted intermediate CAs. As such, all current and future CAs that inherit trust from the 3 blacklisted CAs would be useless, because the chain of trust is now broken.

If the attacker's CAs had inherited trust directly from the root Microsoft CA, you would be correct. Only blacklisting the root Microsoft CA would have fixed such a problem.

But that would create other problems. Since all signed Windows binaries inherit trust from it, you will need to replace all signed Windows binaries with updated versions that inherit trust from a new root authority before revoking trust in the old one.

That means you will need a service-pack sized update if the root CA is compromised. Let's hope that never happens.
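As an added illustration of the chain-of-trust reasoning in the comment above (example code written for this page, not from the article, the commenter, or Microsoft): a toy model of certificate-chain walking. The CA names and the chain shape are constructed; real path validation also checks signatures, validity periods and revocation, which this model leaves out to isolate the effect of the untrusted list.

```python
# Added example: models why disallowing the intermediate CAs that the
# fraudulent certificates chained under breaks the attackers' current and
# future sub-CAs, while disallowing the root would also break every
# legitimately signed binary. All names below are constructed.

# Constructed certificate graph: subject -> issuer ("self" marks a root).
ISSUER = {
    "Microsoft Root":          "self",
    "MS Intermediate A":       "Microsoft Root",     # legitimate, later disallowed
    "MS Intermediate B":       "Microsoft Root",     # legitimate, later disallowed
    "MS Intermediate C":       "Microsoft Root",     # legitimate, later disallowed
    "MS Code Signing PCA":     "Microsoft Root",     # legitimate, stays trusted
    "Windows Update binary":   "MS Code Signing PCA",
    "Attacker Sub-CA 1":       "MS Intermediate A",  # minted under a disallowed CA
    "Attacker Sub-CA 2":       "Attacker Sub-CA 1",  # a later attacker sub-CA
    "Fake update payload":     "Attacker Sub-CA 2",
    "Hypothetical root-child": "Microsoft Root",     # the "what if" in the comment
}

ROOTS = {"Microsoft Root"}


def chain_is_trusted(leaf, disallowed):
    """Walk issuer links from leaf up to a root.

    The chain is trusted only if every certificate on the path, the root
    included, is absent from the disallowed set: distrusting any link
    poisons everything issued beneath it, now or in the future.
    """
    cur, seen = leaf, set()
    while True:
        if cur in disallowed or cur in seen or cur not in ISSUER:
            return False
        seen.add(cur)
        if ISSUER[cur] == "self":
            return cur in ROOTS
        cur = ISSUER[cur]


def blacklist_intermediates():
    """Model of the out-of-band fix: three intermediates go on the untrusted list."""
    return {"MS Intermediate A", "MS Intermediate B", "MS Intermediate C"}


def blacklist_root():
    """Model of the drastic alternative the comment describes: distrust the root."""
    return {"Microsoft Root"}


if __name__ == "__main__":
    fix = blacklist_intermediates()
    print("attacker payload after fix:", chain_is_trusted("Fake update payload", fix))
    print("legit WU binary after fix:", chain_is_trusted("Windows Update binary", fix))
    print("root-issued attacker CA after fix:", chain_is_trusted("Hypothetical root-child", fix))
    print("legit WU binary if root distrusted:", chain_is_trusted("Windows Update binary", blacklist_root()))
```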

Couldn't the malware block new updates from reaching the computer? If that capability is part of Flame's arsenal, I don't see how an emergency fix being pushed through the compromised system is going to have any effect.


I was wondering the same. Kind of pointless if they don't release a way to neutralize the malware itself.

Check Windows update, Microsoft is already pushing out the certificate fix. (KB2718704) http://support.microsoft.com/kb/2718704 showed up on my machine this morning and it's not even patch Tuesday.

Please see the part of the article that reads:

Microsoft issued an emergency update on Sunday that added three certificate authorities to its list of untrusted certificates, but it's unclear how useful such measures will be at repairing the damage. Company officials have yet to acknowledge the susceptibility of the update process or to provide guidance for customers whose networks may already be compromised. A representative with Microsoft's outside PR firm told Ars that Microsoft "doesn't have anything further to share at this time," and referred reporters to a series of blog posts that didn't address these unanswered questions.


Couldn't the malware block new updates from reaching the computer? If that capability is part of Flame's arsenal, I don't see how an emergency fix being pushed through the compromised system is going to have any effect.

If Flame is targeting your computer (i.e. if a Flame-based fake Windows Update site has been installed between you and the real Windows Update site), this won't have any effect and you won't be able to get the real update (the fake Windows Update site is likely to provide a fake update to you to make you feel better). If Flame has already compromised your computer, this won't help either.

If Flame has not yet compromised your computer and you apply the patch, you will be protected from Flame or other malware that is pretending to be Windows Update using the compromised certificate.

On the assumption that Flame is mostly targeting Internet sites in Iran, you should be OK if you apply the fix. The fix won't resolve anything if you've already been attacked, but it closes off the possibility of an attack if you haven't already been attacked.

This whole Windows Update thing confuses me. The impression I get from elsewhere is that it needs an AD domain that it can advertise itself as some kind of proxy on. From that I wonder if this is targeting WSUS rather than Windows Update directly (though having two separate systems named virtually the same is not helping).

If Flame is targeting your computer (i.e. if a Flame-based fake Windows Update site has been installed between you and the real Windows Update site), this won't have any effect and you won't be able to get the real update (the fake Windows Update site is likely to provide a fake update to you to make you feel better).

Only if your system's proxy settings are set to "Automatically detect settings", which is how you would pick up the infected system's proffered updates, as it will helpfully offer to proxy for you. Yet another instance of where automagical settings in a group policy are bad. Or disabling Windows updates, god dammit.

When machines attached to the network run software that advertises itself as an official Microsoft update, the fake server delivers the Flame malware instead, causing those machines to also become infected.

If I'm running a piece of software, I've already downloaded it. How does possessing a faked cert magically cause my machine to connect to another server and download yet another piece of software with the Flame malware on it?

I'm assuming you meant that my machine could run a piece of software that it thought was a legitimate update, but was actually the Flame malware. Since it's signed by a seemingly valid WU cert, my machine would trust it. That's bad, no question.

But how does my machine get the fake update in the first place? As I said, I don't look for updates on MSHOME-F3BE293C.

Also, what is special and noteworthy about being able to fake the Windows Update code signing cert (aside from showing that MS needs to protect their keys better)? What can this cert do that other code signing certificates can't? Because anyone can buy one of those for around $400.00.

Is this any worse than forging something like the Nvidia code signing certificate? If you can install to kernel mode, does it really matter if it was a compromised MS key vs any other trusted key?

If there's any truth to this it's just plain scary. My clients all have WSUS set up and pointed to by group policy, so I guess they are safe so long as the WSUS server isn't compromised. I recently set up a domain at home, also with WSUS (bored one day, figured why not), so I guess they are safe, too.

But I shudder to think of all those people that rarely install updates on their home machines, and what havoc this might cause.

This whole Windows Update thing confuses me. The impression I get from elsewhere is that it needs an AD domain that it can advertise itself as some kind of proxy on. From that I wonder if this is targeting WSUS rather than Windows Update directly (though having two separate systems named virtually the same is not helping).

Well, group policy should keep Windows Update clients pointed to the right system. This is prolly a good argument for setting up WSUS over SSL, assuming of course that the server certificate doesn't get compromised, either =P More and more the CA system is looking like a bad system.

Was rooting for more info on this, and found this tidbit on Microsoft's site:

Due to its age, many of the malware components only appear to function properly on certain Windows versions prior to Vista, such as Windows XP and Windows 2003.

So, IOW, the main culprit, again, is people not running updated systems. Regardless of malicious intent, the victims deserve a good deal of blame. It's more or less the digital equivalent of leaving a car unlocked on the street with the keys in the ignition--pretty much inviting theft...

Because you are set to automatically detect proxy settings and the infected "server" responds to your WPAD request. That detail was left out of the Ars synopsis. Disable autodetecting proxy settings immediately.


"Microsoft has not been working with US government authorities to support the government's cyber operations. Microsoft has definitely not created any back doors in its Windows operating systems that would enable US security officials to create malware that exploits these loopholes."

The flame modules are able to bypass the legitimate Windows update by setting up a fake server named MSHOME-F3BE293C on networks that host an infected machine. When machines attached to the network run software that advertises itself as an official Microsoft update, the fake server delivers the Flame malware instead, causing those machines to also become infected.

So, if I understand this correctly, if I have a standalone system connected to just my ISP, or a small network that doesn't already have an infected machine, I shouldn't worry about this Windows Update vector?

The introduction of Flame was like opening Pandora's Box. I'm not a code writer so I don't really get it: can Flame and its modules be adapted for more nefarious purposes? For some reason I see an onslaught of bad code hitting soon.


Yes, this was mentioned in an earlier story about the discovery that Stuxnet & Flame are cyberweapons deployed by US and allies.

One of the things that made these difficult to detect is that they made no effort to make the code difficult to decompile and study. Apparently the efforts to disguise code have become so common that the obfuscation of the code is in fact one of the identifying features. Since these are simple and clear, they flew under the radar of searchers looking for obfuscation.

This simplicity and well-structured code make it relatively simple for hackers around the world to decompile these tools and use the concepts & modules in new works.

This article fails to point out that the exploits that allow Flame to even infect your system are over 2 years old. Flame itself seems to have existed over 2 years ago, and the entire anti-virus industry failed to detect it, because it was signed.

For anyone who is worried about this infection, all they have to do is update their system.

Natural mutations in nature defend against entire species being wiped out by a single virus or disease. It surprises me that this principle has not been applied to the design of computer operating systems. Every system on a platform like Windows is essentially a clone in order to ease interoperability (i.e. run binaries), yet UNIX systems worked fine with Alpha and Sparc hardware differences with all the code distributed as source to be compiled by each workstation - surely, that is a wiser solution. The trend towards just-in-time compilation of secure, bounds-checked, virtual machine code seen in JavaScript, whilst not perfect, must be considered a step in the right direction away from trusting random .exe files.

The authority we give PC software to muck about with our filing systems seems worryingly naive - a single "gatekeeper" is passed and then they have the entire filing system hierarchy to muck around with. Perhaps they should only get to create their own subdirectory in which they host their own application preferences and user-created files, so that there is no need for a generally editable Registry. Even so, there would need to be some restriction on their use of memory and CPU authorised by the user (safeguarding against worms and denial of service) - I seem to recall AT&T doing some work on this with Telescript agents in Magic Cap.

Well, there are some runtime "mutations" going on these days. Each time a computer boots now, the memory address map is "scrambled" so that it becomes harder to do buffer overflows into a predictable address space.

Thing is, though, that this may break legacy binaries. As such, I am unsure if Windows applies it across all binaries these days or just the core Windows binaries.

Due to its age, many of the malware components only appear to function properly on certain Windows versions prior to Vista, such as Windows XP and Windows 2003.

This appears to conflict with the following:

"Our suspicion was heightened because fully patched Windows 7 machines were being infected over the network in a very suspicious manner.

We can now confirm this is the main purpose of a special module of Flame called “Gadget” together with another module called “Munch”. (NOTE: It’s important to understand that the initial Flame infection could still be happening through zero-day vulnerabilities. The “Gadget” module is simply used to spread within a network from a machine that is already infected with the malware)." http://www.securelist.com/en/blog/20819 ... identified

The introduction of Flame was like opening Pandora's Box. I'm not a code writer so I don't really get it: can Flame and its modules be adapted for more nefarious purposes? For some reason I see an onslaught of bad code hitting soon.

I'm having a hard time imagining what purpose it might be put to that is more nefarious than what it already does.

Natural mutations in nature defend against entire species being wiped out by a single virus or disease. It surprises me that this principle has not been applied to the design of computer operating systems. Every system on a platform like Windows is essentially a clone in order to ease interoperability (i.e. run binaries), yet UNIX systems worked fine with Alpha and Sparc hardware differences with all the code distributed as source to be compiled by each workstation - surely, that is a wiser solution.

Were you there when the world was working seamlessly across dozens of different Unix-based systems? I'm guessing the answer is 'no' or you would not have made such an absurd claim.

Does every computer everywhere always need to be online? Noooooooo, you joke, right? Seriously, I run a 3-2-1 zone defense at home on my network: 1 being my home hub, 2 being my game rigs. They sit behind my 3 active-all-the-time PCs that are my testers on a separate line, so I can download and inspect and then deploy to another of the 3 PCs to verify if such and such program is clean, BEFORE I let it into my inner ring. -.- Geeezzz, with all of these new computers, people sure are getting dumb.

True, true, but when you run a zone defense, you have selective control over not only what comes up dirty or not and what has been flagged, but also what you finally do install, and even when you install it. Just because you got a notice from MS in your auto updater saying such and such is a threat does not mean that if you don't install it your PC will die. You can take your time.